1. CS898AT – Bitcoins and Cryptocurrencies
Prof. Murtuza Jadliwala
Note: most of the slides used in this course are derived from those available for the book “Bitcoins and Cryptocurrencies Technologies – A Comprehensive Introduction”, Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller & Steven Goldfeder, 2016, Princeton University Press.
Department of Electrical Engineering and Computer Science

2. How Bitcoin Achieves Decentralization
Lecture 2
How Bitcoin Achieves Decentralization

3. Centralization vs. decentralization

4. Centralization vs. decentralization
Competing paradigms that underlie many digital technologies
Centralized: Online Social Networking Services (Facebook, Google)
Decentralized: Internet, service and the SMTP protocol
Decentralization is not all-or-nothing: For example, . has a decentralized protocol (e.g., SMTP), but dominated by centralized webmail services

5. Aspects of decentralization in Bitcoin
Who maintains the ledger?
Who has authority over which transactions are valid?
Who creates new bitcoins?
Who determines how the rules of the system change?
How do bitcoins acquire exchange value?
Beyond the protocol:
Exchanges, Wallet software, Service providers...
Our focus in this chapter

6. Aspects of decentralization in Bitcoin
Peer-to-peer network:
Open to anyone, Low barrier to entry
Mining:
Open to anyone, but inevitable concentration of power
often seen as undesirable
Updates to software:
Core developers trusted by community, have great power

7. Distributed consensus

8. Bitcoin’s key challenge
Key technical challenge of decentralized e-cash: distributed consensus
or: how to decentralize ScroogeCoin

9. Why consensus protocols?
Traditional motivation: reliability in distributed systems
Distributed key-value store enables various applications: DNS, public key directory, stock trades …

10. Defining distributed consensus
There are “n” nodes, each have an input value. Some nodes are faulty or malicious. A distributed consensus protocol has the following two properties:
The protocol terminates and all honest nodes are in agreement on the same value
This value must have been proposed by some honest node
What does this mean in the context of Bitcoins?

11. Bitcoin is a peer-to-peer system
When Alice wants to pay Bob: she broadcasts the transaction to all Bitcoin nodes
Pay to pkBob : H( )
signed by Alice
Note: Bob’s computer may not be in the picture or online!
In fact, running a Bitcoin node is not important for Bob to receive the funds. The Bitcoins will be his regardless

12. What nodes need to reach a consensus on?
Which transactions were broadcast on the network
Order in which these transactions occurred
 Result of the consensus protocol: Single, global transaction ledger for the system

13. How consensus could work in Bitcoin
At any given time (in the bitcoin peer-to-peer network):
All nodes have a sequence of blocks of transactions (called, ledger or block chain) they’ve reached consensus on
Each node has a set of outstanding transactions it’s heard about (but not yet included in the block chain)
For these transactions consensus has not yet happened
Each node may have a slightly different outstanding transaction pool

14. How consensus could work in BitcoinTx … Tx … Tx … Tx …
Consensus
protocol Tx … Tx …
OK to select any valid block, even if proposed by only one node

15. Why consensus is hard (esp. in the Bitcoin context)?
Nodes may crash
Nodes may be malicious
Peer-to-peer network is imperfect
Not all pairs of nodes connected (and may participate)
Faults in network
Latency
No notion of global time  constraints the set of consensus algorithms that can be used
Analogy of talking on the phone and having a lag

16. Many impossibility results
Byzantine generals problem: Consensus impossible to achieve if 1/3 or more generals are traitors
Fischer-Lynch-Paterson (deterministic nodes): consensus impossible with a single faulty node (under certain conditions)

17. Some well-known protocols
Example: Paxos
Never produces inconsistent result, but can (rarely) get stuck

18. Understanding impossibility results
The earlier results proven for specific models
Specifically, distributed databases
A distributed database model (and assumptions under it) doesn’t carry over to Bitcoins!
These results say more about the model than about the problem
What does it mean?
It may be possible to develop consensus protocols that work for Bitcoin networks

19. Bitcoin consensus: theory & practice
Bitcoin consensus works better in practice than in theory
Theory is still catching up
BUT theory is important, can help predict unforeseen attacks

20. Some things Bitcoin does differently for consensus
Introduces incentives
Possible only because it’s a currency!
So in Bitcoins we do not have to solve the consensus problem in general, but only the one for a currency system
Embraces randomness
Does away with the notion of a specific starting and ending point for consensus
Consensus happens over long time scales — about 1 hour
In summary, consensus in Bitcoins is not deterministic – Even at the end of 1 hour nodes may not be 100% sure that their view of the block chain is the consensus view
Although the probability of that not being the case is very low

21. Consensus without identity: the block chain

22. Why identity is needed?
Answer: It makes the consensus protocol easy to design! But how?
Pragmatic: some protocols need node IDs
Protocols could have instructions of the form “Now node with lowest ID, do something..”
Without identities, instructions are constrained
Security: assume less than 50% malicious
If nodes have identities, and difficult to create new node identities then some assumptions about the number of malicious nodes can be made
This can be used to prove certain security properties

23. Why don’t Bitcoin nodes have identities?
Identity is hard in a P2P system — Sybil attack
Pseudonymity is a goal of Bitcoin

24. How to overcome lack of identity in Bitcoins?
Weaker assumption: select random node in the bitcoin network
Analogy: lottery or raffle
When tracking & verifying identities is hard, we give people tokens, tickets, etc.
Now we can pick a random ID & select that node

25. Key idea: implicit consensus
In each round, random node is picked
This node proposes the next block in the chain
Other nodes implicitly accept/reject this block
by either extending it
or ignoring it and extending chain from earlier block
Every block contains hash of the block it extends

26. Consensus algorithm (simplified)
New transactions are broadcast to all nodes
Each node collects new transactions into a block
In each round a random node gets to broadcast its block
Other nodes accept the block only if all transactions in it are valid (unspent, valid signatures)
Nodes express their acceptance of the block by including its hash in the next block they create

27. Now let’s analyze if this works!
Assume a malicious adversary.
Can this adversary subvert the implicit consensus process by:
Stealing Bitcoins?
Denial of service?
Double spend?

28. What can a malicious node do?
Double-spending attack
CA → B
Pay to pkB : H( )
signed by A
CA → A’
Pay to pkA’ : H( )
signed by A
Honest nodes will extend the longest valid branch
In practice nodes extend the block that they first detect on the peer-to-peer network (not a solid rule)
Can’t create new transactions from someone else’s address, or modify them.
Suppressing tx’s is only a minor annoyance.

29. From Bob the merchant’s point of view
1 confirmation
3 confirmations
CA → B
CA → A’
Double-spend probability decreases exponentially with # of confirmations
Most common heuristic: 6 confirmations
double-spend attempt
Hear about CA → B transaction
0 confirmations

30. Recap
Protection against invalid transactions is cryptographic, but enforced by consensus
Protection against double-spending is purely by consensus
You’re never 100% sure a transaction is in consensus branch. Guarantee is probabilistic

31. Incentives and proof of work

32. Assumption of honesty is problematic
Can we give nodes incentives for behaving honestly?
Everything so far is just a distributed consensus protocol
But now we utilize the fact that the currency has value
Can we reward nodes that created these blocks?
Can we penalize the node that created this block?

33. Incentive 1: Block Reward
Creator of block gets to
include special coin-creation transaction in the block
choose recipient address of this transaction
Value is fixed: currently 25 BTC, halves every 210,000 blocks created (or every 4 years at the current rate of block creation)
We are now in the second period – first period block reward was 50 BTC
Block creator gets to “collect” the reward only if the block ends up on long-term consensus branch!
Subtle but powerful trick: Incentivizes nodes to behave in way that will get other nodes to extend their block

34. There’s a finite supply of bitcoins
Block reward is how new bitcoins are created
Runs out in No new bitcoins unless rules change
Does that mean that after 2040, nodes will no longer have incentive to behave honestly?
Not really!
Total supply: 21 million
Year
Total bitcoins in circulation
First inflection point: reward halved from 50BTC to 25BTC

35. Incentive 2: Transaction Fees
Creator of transaction can choose to make output value less than input value
Remainder is a transaction fee and goes to block creator (that first puts that transaction into that block)
Purely voluntary, like a tip
But system will evolve, and will become mandatory, as Block rewards run out

36. Remaining problems How to pick a random node?
How to avoid a free-for-all due to rewards?
Everybody may want to run a bitcoin node in order to get this free reward (lock reward and Transaction fee)
How to prevent Sybil attacks?
An adversary may create a large number of Sybil nodes to subvert the consensus process

37. Proof of work
To approximate selecting a random node: select nodes in proportion to a resource that no one can monopolize (we hope)
In proportion to computing power: proof-of-work (Used in Bitcoins)
In proportion to ownership of the currency: proof-of-stake (Not used in Bitcoins – but a legitimate model used in other cryptocurrencies)

38. Equivalent views of proof of work
Select nodes in proportion to computing power
Let nodes compete for right to create block
Make it moderately hard to create new identities

39. Hash puzzles To create block, find nonce s.t.
prev_h Tx
To create block, find nonce s.t.
H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) is very small
In other words, H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
Output space of hash
Target
space
If hash function is secure (satisfies puzzle-friendliness):
only way to succeed is to try enough nonces until you get lucky
If Alice has 100x more computing power than Bob it doesn’t mean she always wins the race. It means she has about a 99% chance of wining. In the long run Bob will create 1% of the blocks

40. Advantage of such a PoW system?
It completely does away with the problem of magically picking a random node (to propose a block)
Nodes independently compete by attempting to solve hash puzzles
Once in a while, one will succeed and propose the next block
Result: Such a system is completely decentralized  No one gets to decide which node proposes the next block

41. PoW property 1: difficult to compute
Difficulty varies with time
As of 2015: difficulty level is over 1020 hashes/block
i.e., size of target space <= 1/1020 size of hash’s output space
Such a computation not possible with commodity laptops
Only some nodes bother to compete — miners
This process of repeatedly solving hash puzzles is called bitcoin mining
Technically anyone can mine  however mining power is concentrated in a mining ecosystem

42. PoW property 2: parameterizable cost
Nodes automatically re-calculate the target (size of target space as a fraction of the output space) every two weeks
Goal: average time between blocks = 10 minutes
In other words, recalculation takes place after 2,016 blocks!
Prob (Alice wins next block) =
fraction of global hash power she controls
what happens if time b/w blocks is too low or too high

43. Why is such a re-adjustment needed?
It is inefficient if blocks are proposed too close to each other
Would not be able to put multiple transactions in a single block!
Why 10 minutes?
Not significant!
Can change it to 5 minutes, and system would still work

44. Key security assumption
Bitcoin attacks infeasible if majority of miners weighted by hash power follow the protocol (or are honest)
This will ensure a more than 50% chance that the next block is proposed by a honest node!

45. Solving hash puzzles is probabilistic
Time to next block (entire network)
Probability density 10
minutes

46. PoW property 3: trivial to verify
Nonce must be published as part of block
Other miners simply verify that
H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
Advantage?
No centralized verifier needed! Any node or miner can verify that the block was correctly mined

47. Mining economics
Complications:
Fixed (hardware) vs. variable (electricity) costs
Reward depends on rate at which miners propose blocks (ratio of their hash rate to the global hash rate)
Cost in dollars, but reward in BTC  profit depends on exchange rate
Solving 1020 hashes to obtain 25 BTC at current exchange rate is profitable!
If mining reward (block reward + Tx fees)
>
mining cost
(hardware + electricity cost) →
Profit

48. Putting it all together

49. Recap Identities Transactions P2P network Block chain & consensus
Hash puzzles & mining

50. Bitcoin has three types of consensus
Value
State
Rules

51. Bitcoin is bootstrapped
security of block chain
value of currency
health of mining ecosystem

52. What can a “51% attacker” do?
Steal coins from existing address?
Suppress some transactions?
From the block chain
From the P2P network
Change the block reward?
Destroy confidence in Bitcoin? ✗ ✓ ✓✓

53. Remaining questions How do we get from consensus to currency?
What else can we do with consensus?